Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

windowsservercore: urllib SSL errors #359

Open
lazka opened this issue Dec 4, 2018 · 16 comments
Open

windowsservercore: urllib SSL errors #359

lazka opened this issue Dec 4, 2018 · 16 comments
Labels
Issue

Comments

@lazka
Copy link

lazka commented Dec 4, 2018

I can't get SSL to work in the container, any ideas welcome:

docker run -it python:3.7.1-windowsservercore
>>> import urllib.request; urllib.request.urlopen("https://letsencrypt.org/")
Traceback (most recent call last):
  File "C:\Python\lib\urllib\request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "C:\Python\lib\http\client.py", line 1229, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python\lib\http\client.py", line 1275, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1016, in _send_output
    self.send(msg)
  File "C:\Python\lib\http\client.py", line 956, in send
    self.connect()
  File "C:\Python\lib\http\client.py", line 1392, in connect
    server_hostname=server_hostname)
  File "C:\Python\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Python\lib\ssl.py", line 853, in _create
    self.do_handshake()
  File "C:\Python\lib\ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python\lib\urllib\request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python\lib\urllib\request.py", line 525, in open
    response = self._open(req, data)
  File "C:\Python\lib\urllib\request.py", line 543, in _open
    '_open', req)
  File "C:\Python\lib\urllib\request.py", line 503, in _call_chain
    result = func(*args)
  File "C:\Python\lib\urllib\request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "C:\Python\lib\urllib\request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1051)>
>>>
@tianon
Copy link
Member

tianon commented Dec 31, 2018

I've verified that this is indeed an issue, but I've no idea where to turn to figure out what's going on. 😞

@lazka
Copy link
Author

lazka commented Dec 31, 2018
edited
Loading

Thanks for checking. Yeah, information about this seems sparse.

One workaround (for users) would be to pip install certifi and set the SSL_CERT_FILE env var to the contained cacert.pem

@tianon
Copy link
Member

tianon commented Jan 3, 2019

As another data point, whether the error drops seems to depend on the site you're trying to hit; for example, doing urllib.request.urlopen("https://bootstrap.pypa.io/get-pip.py"), I do not get an error. 🤷‍♂️

@wglambert wglambert added the Issue label Jan 3, 2019
@mika-fischer
Copy link

I have the same issue, maybe this whould be forwarded to the Python people?

@tianon
Copy link
Member

tianon commented Feb 27, 2019 via email

@mika-fischer
Copy link

Well I have the issue also with mcr.microsoft.com/windows which is not so minimal anymore. Not sure what else to test.

I'll have a look and file a bug on the Python tracker.

@mika-fischer
Copy link

Created https://bugs.python.org/issue36137

@mika-fischer
Copy link

As a (limited) workaround, maybe this can be added to the images:

certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst

But this really needs to be fixed in Python...

@tianon tianon mentioned this issue Jul 12, 2019
Merged
@tianon tianon mentioned this issue Apr 18, 2020
Closed
@SnehashishGiri

This comment has been minimized.

Sign in to view
@SnehashishGiri

This comment has been minimized.

Sign in to view
@SnehashishGiri

This comment has been minimized.

Sign in to view
@tianon

This comment has been minimized.

Sign in to view
@alfaro96 alfaro96 mentioned this issue Nov 16, 2020
Merged
@tianon
Copy link
Member

tianon commented Jun 8, 2022
edited
Loading

Looks like the latest on this is in https://bugs.python.org/issue36011 python/cpython#80192 (and that it's still a problem 😞).

@jacobdr jacobdr mentioned this issue Nov 5, 2022
Closed
4 tasks
@tianon
Copy link
Member

tianon commented Feb 13, 2025

I just tested this fresh, just to be certain, and it's definitely still an issue on the latest builds. 🙈

@LaurentGoderre
Copy link
Member

ServerCore seems to come with significantly fewer root authority (Only 2 compared to the dozen on my Windows host.

@LaurentGoderre
Copy link
Member

It seems the certificates are managed either by Windows Update or by Active Directory policy.

To install them in the container you can run the following Powershell script

certutil.exe -generateSSTFromWU .\rootcerts.sst
$sstFile = (Get-ChildItem -Path .\rootcerts.sst)
$sstFile | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tianon @mika-fischer @lazka @LaurentGoderre @SnehashishGiri @wglambert